Sam Kuper
2022-Jan-05 17:36 UTC
GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)
On Wed, Jan 05, 2022 at 06:00:31PM +0100, John Fawcett wrote:> my understanding of the GDPR legislation is that it defines what is > considered lawful processing. One of those items that makes the > processing lawful is consent.Not necessarily. An action that would not be lawful without consent is not automatically made lawful with consent, including under GDPR.> If I send an email to a public mailing list I think it's fair to say > that I am providing consent.Again, not necessarily. First of all, consent cannot necessarily be assumed. Secondly, a person sending an email to a mailing list might very well consent for the mailing list's recipients to receive the content, subject, and reply address of that email - but *not* the IP address from which it was sent. Sam -- A: When it messes up the order in which people normally read text. Q: When is top-posting a bad thing? () ASCII ribbon campaign. Please avoid HTML emails & proprietary /\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.
John Fawcett
2022-Jan-05 18:00 UTC
GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)
On 05/01/2022 18:36, Sam Kuper wrote:> On Wed, Jan 05, 2022 at 06:00:31PM +0100, John Fawcett wrote: >> my understanding of the GDPR legislation is that it defines what is >> considered lawful processing. One of those items that makes the >> processing lawful is consent. > Not necessarily. > > An action that would not be lawful without consent is not automatically > made lawful with consent, including under GDPR. >Correct there could be other reasons that make processing unlawful. However, GDPR will allow processing if the data subject consents and I think taht is what we are talking about in this thread.> >> If I send an email to a public mailing list I think it's fair to say >> that I am providing consent. > Again, not necessarily. > > First of all, consent cannot necessarily be assumed.Correct that it cannot necessarily be assumed. But in this case I think it would be fair to assume it when someone sends an email to a public mailing list that consent has been given. I cannot see how having sent an email to a public mailing list I can then object to people processing it. Although it's not a question about GDPR, if I DID then change my mind, I cannot see a technical way to enforce it.> > Secondly, a person sending an email to a mailing list might very well > consent for the mailing list's recipients to receive the content, > subject, and reply address of that email - but *not* the IP address from > which it was sent.Correct. That is why I mentioned as an alternative "request that your users consent to the processing of the data".> > > Sam > >